
Update Service Principals for Onboarded Azure Subscriptions and Tenants

This topic describes how to update the service principal that CloudSecure uses to access your Azure resources, and how to rotate the secret of an existing client when that secret expires.

Note

Use case: you onboarded an Azure tenant some time ago and the secret of its service principal is about to expire. You can replace the existing service principal used by Cloud with a new one by running the PowerShell onboarding script that Cloud provided during onboarding. Alternatively, create the service principal yourself and use the custom PowerShell script in this topic to send its credentials back to Cloud. If your secret has reached its one-year expiry, you can also run a command to create a new secret for the existing service principal.

Create a New Service Principal with the Cloud Onboarding Script

You can use the onboarding PowerShell script provided by Cloud to create a new Service Principal and update it in Cloud. Use the following commands, depending on your needs:

Azure Subscription Onboarding

If you want to use Read-only Mode, use this command:

Invoke-WebRequest -Uri https://cloudsecure-onboarding-templates.s3.us-west-2.amazonaws.com/cloudsecure/illumio-init.ps1 -OutFile (Join-Path $PWD.Path "illumio-init.ps1"); ./illumio-init.ps1 -sid <azure_subscription_id> -serviceAccountKey <service_account_key> -serviceAccountToken <service_account_token> -csTenantId <cs_tenant_id> -url https://cloud.illum.io

If you want to use Read/Write Mode, use this command:

Invoke-WebRequest -Uri https://cloudsecure-onboarding-templates.s3.us-west-2.amazonaws.com/cloudsecure/illumio-init.ps1 -OutFile (Join-Path $PWD.Path "illumio-init.ps1"); ./illumio-init.ps1 -sid <azure_subscription_id> -serviceAccountKey <service_account_key> -serviceAccountToken <service_account_token> -csTenantId <cs_tenant_id> -url https://cloud.illum.io -nsg

Azure Tenant Onboarding

If you want to use Read-only Mode, use this command:

Invoke-WebRequest -Uri https://cloudsecure-onboarding-templates.s3.us-west-2.amazonaws.com/cloudsecure/illumio-init.ps1 -OutFile (Join-Path $PWD.Path "illumio-init.ps1"); ./illumio-init.ps1 -tid <azure_tenant_id> -serviceAccountKey <service_account_key> -serviceAccountToken <service_account_token> -csTenantId <cs_tenant_id> -url https://cloud.illum.io

If you want to use Read/Write Mode, use this command:

Invoke-WebRequest -Uri https://cloudsecure-onboarding-templates.s3.us-west-2.amazonaws.com/cloudsecure/illumio-init.ps1 -OutFile (Join-Path $PWD.Path "illumio-init.ps1"); ./illumio-init.ps1 -tid <azure_tenant_id> -serviceAccountKey <service_account_key> -serviceAccountToken <service_account_token> -csTenantId <cs_tenant_id> -url https://cloud.illum.io -nsg

Rotate Secrets for an Existing Service Principal

Secrets for the Azure service principal are created with a 365-day (1 year) expiry when created through Cloud. When a secret expires, use the following commands to create a new secret and update it in Cloud.

Subscription Onboarding

Invoke-WebRequest -Uri https://cloudsecure-onboarding-templates.s3.us-west-2.amazonaws.com/cloudsecure/illumio-init.ps1 -OutFile (Join-Path $PWD.Path "illumio-init.ps1"); ./illumio-init.ps1 -sid <subscription_id> -serviceAccountKey <service_account_key> -serviceAccountToken <service_account_token> -csTenantId <cloudsecure_tenant_id> -clientId <service_principal_client_id> -url https://cloud.illum.io -rotateSecret

To obtain the <service_principal_client_id>, from within the Azure Portal, do the following:

  1. Go to Microsoft Entra ID and select App registrations from the menu.

  2. Select the app registration whose name starts with Illumio-CloudSecure-Access and copy its client ID.
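
The rotation commands above are only useful if you know a secret is about to reach its 365-day expiry before it actually does. The following script is an added example and is not part of the Illumio documentation or the illumio-init.ps1 script: it looks up the app registration by the Illumio-CloudSecure-Access name prefix named above, lists the credentials attached to it, and reports how many days remain on each one, so the -rotateSecret command can be run ahead of time. It assumes the Az.Resources module is installed and Connect-AzAccount has already been run against the Azure tenant; the function name and the 30-day warning threshold are this example's own choices.

```powershell
# Added example (not Illumio's code). Reports the remaining lifetime of each
# credential on the Illumio-CloudSecure-Access app registration so the secret
# can be rotated before the 365-day expiry is reached.
# Assumes: Az.Resources is installed and Connect-AzAccount has been run.

function Get-CloudSecureSecretExpiry {
    [CmdletBinding()]
    param(
        # Name prefix of the app registration created by the onboarding script.
        [string]$DisplayNamePrefix = 'Illumio-CloudSecure-Access',
        # Flag credentials that expire within this many days (example's choice).
        [int]$WarnWithinDays = 30
    )

    $apps = Get-AzADApplication -DisplayNameStartWith $DisplayNamePrefix
    if (-not $apps) {
        throw "No app registration starting with '$DisplayNamePrefix' was found."
    }

    foreach ($app in $apps) {
        # AppId is the value to pass as -clientId to illumio-init.ps1 -rotateSecret.
        $creds = Get-AzADAppCredential -ApplicationId $app.AppId
        foreach ($cred in $creds) {
            if ($null -eq $cred.EndDateTime) {
                $daysLeft = $null
                $status   = 'NoExpiry'
            }
            else {
                $daysLeft = [math]::Floor(($cred.EndDateTime - (Get-Date)).TotalDays)
                if ($daysLeft -lt 0)                    { $status = 'Expired' }
                elseif ($daysLeft -le $WarnWithinDays)  { $status = 'RotateSoon' }
                else                                    { $status = 'Ok' }
            }
            [pscustomobject]@{
                DisplayName = $app.DisplayName
                ClientId    = $app.AppId
                KeyId       = $cred.KeyId
                ExpiresOn   = $cred.EndDateTime
                DaysLeft    = $daysLeft
                Status      = $status
            }
        }
    }
}

# Usage: print the report and return a non-zero exit code if any credential
# is expired or due for rotation, so this can run from a scheduled job.
$report = Get-CloudSecureSecretExpiry
$report | Format-Table -AutoSize
if ($report | Where-Object Status -ne 'Ok') { exit 1 }
```

Get-AzADAppCredential returns every credential on the registration, so a freshly rotated secret and the old one both appear until the old one is removed; the KeyId column lets you tell them apart.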

Tenant Onboarding

Invoke-WebRequest -Uri https://cloudsecure-onboarding-templates.s3.us-west-2.amazonaws.com/cloudsecure/illumio-init.ps1 -OutFile (Join-Path $PWD.Path "illumio-init.ps1"); ./illumio-init.ps1 -tid <azure_tenant_id> -serviceAccountKey <service_account_key> -serviceAccountToken <service_account_token> -csTenantId <cloudsecure_tenant_id> -clientId <service_principal_client_id> -url https://cloud.illum.io -rotateSecret

After creating the new secret, follow the steps in Send Secrets Back to Cloud.

Send Secrets Back to Cloud

If you have a new service principal with the permissions required for your type of onboarding, you can run the following PowerShell script to send its secret back to Cloud. Copy the script into a file with the .ps1 extension, for example "web_request.ps1".

Before running the script, replace the following placeholders in the file with your actual values:

  • <YourServiceAccountKeyId> - The Cloud service account key ID. A service account can be created under Settings.

  • <YourServiceAccountToken> - The token of the service account being used.

  • <YourClientSecret> - The new service principal's secret.

  • <CloudSecureTenantId> - Your CloudSecure tenant ID.

  • <ClientId> - The new service principal's client ID.

  • <SubscriptionId> - The Azure subscription ID. Required only for subscription onboarding; if you are onboarding an Azure tenant, remove the entire subscription_id line from the script.

  • <AzureTenantId> - Your Azure tenant ID.

PowerShell Script

# Set your service account key ID, token, and client secret
$serviceAccountKeyId = "<YourServiceAccountKeyId>"
$serviceAccountToken = "<YourServiceAccountToken>"
$clientSecret = "<YourClientSecret>" # The actual client secret to be encoded

# Combine the key ID and token with a colon and base64 encode for the Authorization header
$authString = "$($serviceAccountKeyId):$($serviceAccountToken)"
$encodedAuthString = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($authString))

# Base64 encode the client secret separately
$encodedClientSecret = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($clientSecret))

# Construct the headers with the encoded Authorization header
$headers = @{
  "X-Tenant-Id"   = "<CloudSecureTenantId>"
  "Content-Type"  = "application/json"
  "Authorization" = "Basic $encodedAuthString"
}

# Construct the request body with the encoded client secret
$body = @{
  "type"            = "AzureRole"
  "client_id"       = "<ClientId>"
  "client_secret"   = $encodedClientSecret # Use the base64 encoded client secret
  "subscription_id" = "<SubscriptionId>"   # Remove this line and keep azure_tenant_id if onboarding the entire tenant
  "azure_tenant_id" = "<AzureTenantId>"    # Both azure_tenant_id and subscription_id must be present for subscription onboarding
} | ConvertTo-Json -Depth 10

# Send the POST request
$response = Invoke-RestMethod -Uri 'https://cloud.illum.io/api/v1/integrations/cloud_credentials' -Method Post -Headers $headers -Body $body

# Output the response
Write-Host $response
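
The script above keeps the service account token and the new client secret as plaintext literals inside a .ps1 file, which then has to be protected or deleted. The following is an added example, not Illumio's script: it sends the same request to the same endpoint, with the same header and body fields, but reads both secrets at run time as secure strings and only materialises them for the duration of the call. It also generalises the subscription_id handling: the field is included only when a subscription ID is supplied, so one script serves both subscription and tenant onboarding. The function name, its parameter names and the interactive prompts are this example's own; it assumes PowerShell 7 or later, which provides ConvertFrom-SecureString -AsPlainText.

```powershell
# Added example (not Illumio's script): same POST to the cloud_credentials
# endpoint as documented above, with secrets read at run time instead of
# stored in the file. Assumes PowerShell 7+ for ConvertFrom-SecureString -AsPlainText.

function Send-CloudSecureCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ServiceAccountKeyId,
        [Parameter(Mandatory)][securestring]$ServiceAccountToken,
        [Parameter(Mandatory)][string]$CloudSecureTenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][securestring]$ClientSecret,
        [Parameter(Mandatory)][string]$AzureTenantId,
        # Supply for subscription onboarding; omit for tenant onboarding.
        [string]$SubscriptionId,
        [string]$Url = 'https://cloud.illum.io'
    )

    # Plaintext copies exist only inside this function.
    $tokenPlain  = ConvertFrom-SecureString -SecureString $ServiceAccountToken -AsPlainText
    $secretPlain = ConvertFrom-SecureString -SecureString $ClientSecret -AsPlainText
    try {
        # Authorization: Basic base64("<keyId>:<token>"), as in the documented script.
        $authBytes = [Text.Encoding]::ASCII.GetBytes("$($ServiceAccountKeyId):$tokenPlain")
        $headers = @{
            'X-Tenant-Id'   = $CloudSecureTenantId
            'Content-Type'  = 'application/json'
            'Authorization' = 'Basic ' + [Convert]::ToBase64String($authBytes)
        }

        # The client secret is sent base64-encoded, as in the documented script.
        $bodyObject = [ordered]@{
            type            = 'AzureRole'
            client_id       = $ClientId
            client_secret   = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($secretPlain))
            azure_tenant_id = $AzureTenantId
        }
        # subscription_id is present only for subscription onboarding.
        if ($SubscriptionId) { $bodyObject.subscription_id = $SubscriptionId }

        $body = $bodyObject | ConvertTo-Json -Depth 10
        Invoke-RestMethod -Uri "$Url/api/v1/integrations/cloud_credentials" `
            -Method Post -Headers $headers -Body $body
    }
    finally {
        # Drop the plaintext copies as soon as the request has been sent.
        $tokenPlain = $secretPlain = $null
        $authBytes  = $null
    }
}

# Usage: prompt for each value rather than pasting secrets into a file.
# Pass -SubscriptionId <id> as well when onboarding a single subscription.
$params = @{
    ServiceAccountKeyId = Read-Host 'Service account key id'
    ServiceAccountToken = Read-Host 'Service account token' -AsSecureString
    CloudSecureTenantId = Read-Host 'CloudSecure tenant id'
    ClientId            = Read-Host 'Service principal client id'
    ClientSecret        = Read-Host 'New service principal secret' -AsSecureString
    AzureTenantId       = Read-Host 'Azure tenant id'
}
Send-CloudSecureCredential @params | ConvertTo-Json -Depth 5
```

Because the values are typed at the prompt as secure strings, neither the token nor the client secret ends up in the script file, the shell history or the transcript, which removes the clean-up step the plaintext version requires.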